@MISC{_thecramer-shoup,

author = {},

title = {The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model},

year = {}

}

Abstract. In this paper we examine the security criteria for a KEM and a DEM that are sufficient for the overall hybrid encryption scheme to be plaintext-aware in the standard model. We apply this theory to the Cramer-Shoup hybrid scheme acting on fixed length messages and deduce that the Cramer-Shoup scheme is plaintext-aware in the standard model. This answers a previously open conjecture of Bellare and Palacio on the existence of plaintext-aware encryption schemes.

1 Introduction

Plaintext awareness is a simple concept with a difficult explanation. An encryption scheme is plaintext aware if it is practically impossible for any entity to produce a ciphertext without knowing the associated message. This effectively renders a decryption oracle useless to an attacker, as any ciphertext submitted for decryption must either be invalid or the attacker must already know the decryption of that ciphertext and so does not gain any information by querying the oracle. Thus a scheme that is plaintext aware and semantically secure should be secure against adaptive attacks.

There are two problems with this simplistic approach. Firstly, if we wish to achieve the IND-CCA2 definition of security for an encryption scheme, then we have to be careful about how we define plaintext awareness, because, in this model, the attacker is always given one ciphertext for which he does not know the corresponding decryption (the challenge ciphertext). It is usually comparatively simple to achieve plaintext awareness when you do not have to consider the attacker as able to get hold of ciphertexts for which he does not know the corresponding decryption. We will follow the notation of Bellare and Palacio [4] and term this PA1 plaintext-awareness. A scheme that is IND-CPA and PA1 plaintext aware is only IND-CCA1 secure [4].

It is a lot harder to prove plaintext-awareness in full generality, when the attacker has access to an oracle that will return ciphertexts for which the attacker does not know the corresponding decryption, especially if the attacker has some measure of control over the probability distribution that the oracle uses to select the messages that it encrypts. This is termed PA2 plaintext awareness.

